The University of Texas at El Paso Information Security

The University of Texas at El Paso
Information Security Office
Security Exception Reporting Process
Contents
Purpose
Scope
General
Roles and Responsibilities
Revision History
Approvals
Purpose
This Security Exception Reporting Process [1] serves as a supplement to The University of Texas at El Paso
Information Resources Use and Security Policy, and the implementation of UTS165 Information
Resources Use and Security Policy. Adherence to the process will increase the security of systems and
help safeguard university information technology resources.
It is the intent of the Information Security Office (ISO) that all owners and custodians of Information
Resources adopt University Information Resources Use and Security policies and procedures. However,
there will be situations where the strict application of a policy would significantly impair the
functionality of a service and the policy or procedure must be modified to accommodate specific
requirements. This process provides a method for documenting an exception to compliance with a
published university security policy or procedure.
Scope
This process applies to all published University Information Resources Use and Security Standards and
Procedures. This process does not apply to specific department standards or procedures.
General
An exception to a published policy or procedure may be granted in any of the following situations:
• Temporary exception, where immediate compliance would disrupt critical operations;
• Another acceptable solution with equivalent protection is available;
• A superior solution is available. An exception will be granted until the solution can be reviewed and standards or procedures can be updated to allow for the better solution;
• A legacy system is being retired (utilize a process to manage risk);
• Lack of resources.
Roles and Responsibilities
The UTEP Chief Information Security Officer (CISO) must approve all exceptions to University policy. The
Information Security Office is available for assistance at all stages of this process. The Exception Request
must be submitted by the Information Resource owner and/or custodian to the Information Security
Office using the Security Exception Request Form.
The Security Exception Request must include:
• Description of the non-compliance;
• Anticipated length of non-compliance;
• Assessment of risk associated with non-compliance;
• System(s) associated (e.g., host names or IP addresses, etc.);
• Data Classification Category(s) of associated system(s);
• Plan for alternate means of risk management;
• Metrics to evaluate success of risk management (if risk is significant);
• Review date to evaluate progress toward compliance.
The Chief Information Security Officer may report exceptions to University Information Security Policies
to University Compliance Officials, as described in The University of Texas at El Paso Information
Resources Use and Security Policy.

[1] Adapted from the “Security Exception Request” (https://ut.servicenow.com/utss/catalogoverview.do?sysparam_citems_id=4ad65c7c4ff9d200f6897bcd0210c782&sysparam_cat_id=e0d08b13c3330100c8b837659bba8fb4%2CInformation%20Technology&sysparam_sys_id=%3Csubcategory.parent%3E%2CTechnology%20Infrastructure%20&%20Management&sys_click_name=features), with permission from ITS, The University of Texas at Austin, Austin, Texas 78712-1110.
Revision History
Version | Date | Author | Description of Change
1.0 | 12/20/2010 | ISO | Converted document to PDF and posted online
1.1 | 12/21/2015 | ISO | Updated document to reflect CISO approval of Exceptions as opposed to IT owner. Updated links to point to most current ISO Policy and Standards documents.
1.2 | 4/7/2016 | ISO | Uploaded latest document in PDF to ISO website
1.3 | 4/20/2017 | ISO | Spelling correction made to Security Exception Request Form, clarification to add “device/information resource”, and link updates as needed.
Approvals
Name | Title | Role | Date
Gerard D Cochrane Jr | Chief Information Security Officer | Approval | 12/20/2010
Gerard D Cochrane Jr | Chief Information Security Officer | Approval | 12/21/2015
Gerard D Cochrane Jr | Chief Information Security Officer | Approval | 4/20/2017